SYSDB: sysdb_search_object_by_sid returns ENOENT

sysdb_search_object_by_sid returns ENOENT if no results are found.

Part od solution for:
https://fedorahosted.org/sssd/ticket/1991

Fixes:
https://fedorahosted.org/sssd/ticket/2520

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

src/db/sysdb.h

@@ -1035,7 +1035,7 @@ errno_t sysdb_search_object_by_sid(TALLOC_CTX *mem_ctx,
                                    struct sss_domain_info *domain,
                                    const char *sid_str,
                                    const char **attrs,
-                                   struct ldb_result **msg);
+                                   struct ldb_result **res);
 
 errno_t sysdb_search_object_by_uuid(TALLOC_CTX *mem_ctx,
                                     struct sss_domain_info *domain,

src/db/sysdb_ops.c

@@ -2994,7 +2994,14 @@ int sysdb_delete_by_sid(struct sysdb_ctx *sysdb,
     }
 
     ret = sysdb_search_object_by_sid(tmp_ctx, domain, sid_str, NULL, &res);
-    if (ret != EOK) {
+
+    if (ret == ENOENT) {
+        /* No existing entry. Just quit. */
+        DEBUG(SSSDBG_TRACE_FUNC,
+              "search by sid did not return any results.\n");
+        ret = EOK;
+        goto done;
+    } else if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "search by sid failed: %d (%s)\n",
               ret, strerror(ret));
         goto done;
@@ -3007,12 +3014,6 @@ int sysdb_delete_by_sid(struct sysdb_ctx *sysdb,
         goto done;
     }
 
-    if (res->count == 0) {
-        /* No existing entry. Just quit. */
-        ret = EOK;
-        goto done;
-    }
-
     ret = sysdb_delete_entry(sysdb, res->msgs[0]->dn, false);
     if (ret != EOK) {
         goto done;
@@ -3564,61 +3565,10 @@ errno_t sysdb_search_object_by_sid(TALLOC_CTX *mem_ctx,
                                    struct sss_domain_info *domain,
                                    const char *sid_str,
                                    const char **attrs,
-                                   struct ldb_result **msg)
+                                   struct ldb_result **res)
 {
-/* TODO: use
     return sysdb_search_object_by_str_attr(mem_ctx, domain, SYSDB_SID_FILTER,
                                            sid_str, attrs, res);
-
-    when verified that all callers can handle ENOENT correctly. */
-
-    TALLOC_CTX *tmp_ctx;
-    const char *def_attrs[] = { SYSDB_NAME, SYSDB_UIDNUM, SYSDB_GIDNUM,
-                                ORIGINALAD_PREFIX SYSDB_NAME,
-                                SYSDB_OBJECTCLASS, NULL };
-    struct ldb_dn *basedn;
-    int ret;
-    struct ldb_result *res = NULL;
-
-    tmp_ctx = talloc_new(NULL);
-    if (!tmp_ctx) {
-        return ENOMEM;
-    }
-
-    basedn = ldb_dn_new_fmt(tmp_ctx, domain->sysdb->ldb, SYSDB_DOM_BASE, domain->name);
-    if (basedn == NULL) {
-        DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new_fmt failed.\n");
-        ret = ENOMEM;
-        goto done;
-    }
-
-    ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res,
-                     basedn, LDB_SCOPE_SUBTREE, attrs?attrs:def_attrs,
-                     SYSDB_SID_FILTER, sid_str);
-    if (ret != EOK) {
-        ret = sysdb_error_to_errno(ret);
-        DEBUG(SSSDBG_OP_FAILURE, "ldb_search failed.\n");
-        goto done;
-    }
-
-    if (res->count > 1) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Search for SID [%s] returned more than " \
-                                    "one object.\n", sid_str);
-        ret = EINVAL;
-        goto done;
-    }
-
-    *msg = talloc_steal(mem_ctx, res);
-
-done:
-    if (ret == ENOENT) {
-        DEBUG(SSSDBG_TRACE_FUNC, "No such entry.\n");
-    } else if (ret) {
-        DEBUG(SSSDBG_OP_FAILURE, "Error: %d (%s)\n", ret, strerror(ret));
-    }
-
-    talloc_zfree(tmp_ctx);
-    return ret;
 }
 
 errno_t sysdb_search_object_by_uuid(TALLOC_CTX *mem_ctx,

src/responder/nss/nsssrv_cmd.c

@@ -4491,20 +4491,10 @@ static errno_t nss_cmd_getbysid_search(struct nss_dom_ctx *dctx)
 
     ret = sysdb_search_object_by_sid(cmdctx, dom, cmdctx->secid, NULL,
                                      &dctx->res);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to make request to our cache!\n");
-        return EIO;
-    }
-
-    if (dctx->res->count > 1) {
-        DEBUG(SSSDBG_FATAL_FAILURE, "getbysid call returned more than one " \
-                                     "result !?!\n");
-        return ENOENT;
-    }
-
-    if (dctx->res->count == 0) {
-        DEBUG(SSSDBG_OP_FAILURE, "No results for getbysid call.\n");
+    if (ret == ENOENT) {
         if (!dctx->check_provider) {
+            DEBUG(SSSDBG_OP_FAILURE, "No results for getbysid call.\n");
+
             /* set negative cache only if not result of cache check */
             ret = sss_ncache_set_sid(nctx->ncache, false, cmdctx->secid);
             if (ret != EOK) {
@@ -4513,6 +4503,15 @@ static errno_t nss_cmd_getbysid_search(struct nss_dom_ctx *dctx)
             }
         }
         return ENOENT;
+    } else if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to make request to our cache!\n");
+        return EIO;
+    }
+
+    if (dctx->res->count > 1) {
+        DEBUG(SSSDBG_FATAL_FAILURE, "getbysid call returned more than one " \
+                                     "result !?!\n");
+        return ENOENT;
     }
 
     /* if this is a caching provider (or if we haven't checked the cache

src/responder/pac/pacsrv_cmd.c

@@ -297,17 +297,17 @@ static void pac_lookup_sids_done(struct tevent_req *req)
             msg = NULL;
             ret = sysdb_search_object_by_sid(pr_ctx, dom, entries[c].key.str,
                                              NULL, &msg);
-            if (ret != EOK) {
-                DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_object_by_sid " \
-                                          "failed.\n");
+            if (ret == ENOENT) {
+                DEBUG(SSSDBG_OP_FAILURE, "No entry found for SID [%s].\n",
+                      entries[c].key.str);
+                continue;
+            } else if (ret != EOK) {
+                DEBUG(SSSDBG_OP_FAILURE,
+                      "sysdb_search_object_by_sid failed.\n");
                 continue;
             }
 
-            if (msg->count == 0) {
-                DEBUG(SSSDBG_OP_FAILURE, "No entry found for SID [%s].\n",
-                                          entries[c].key.str);
-                continue;
-            } else if (msg->count > 1) {
+            if (msg->count > 1) {
                 DEBUG(SSSDBG_CRIT_FAILURE, "More then one result returned " \
                                             "for SID [%s].\n",
                                             entries[c].key.str);
@@ -911,10 +911,13 @@ pac_store_membership(struct pac_req_ctx *pr_ctx,
 
     ret = sysdb_search_object_by_sid(tmp_ctx, grp_dom, grp_sid_str,
                                      group_attrs, &group);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_TRACE_INTERNAL, "sysdb_search_object_by_sid " \
-                                      "for SID [%s] failed [%d][%s].\n",
-                                      grp_sid_str, ret, strerror(ret));
+    if (ret == ENOENT) {
+        DEBUG(SSSDBG_OP_FAILURE, "Unexpected number of groups returned.\n");
+        goto done;
+    } else if (ret != EOK) {
+        DEBUG(SSSDBG_TRACE_INTERNAL,
+              "sysdb_search_object_by_sid for SID [%s] failed [%d][%s].\n",
+              grp_sid_str, ret, strerror(ret));
         goto done;
     }
 

src/tests/sysdb-tests.c

@@ -4861,13 +4861,10 @@ START_TEST (test_sysdb_search_return_ENOENT)
     talloc_zfree(res);
 
     /* Search object */
-    /* TODO: Should return ENOENT */
     ret = sysdb_search_object_by_sid(test_ctx, test_ctx->domain,
                                      "S-5-4-3-2-1", NULL, &res);
-    fail_unless(ret == EOK, "sysdb_search_object_by_sid_str failed with "
+    fail_unless(ret == ENOENT, "sysdb_search_object_by_sid_str failed with "
                              "[%d][%s].", ret, strerror(ret));
-    fail_unless(res->count == 0, "sysdb_search_object_by_sid_str should not "
-                                 "return anything.");
     talloc_zfree(res);
 
     /* Search can return more results */